Domain 4 · 4.5 Enterprise Capabilities

4.5.3 OS Security

Group Policy, SELinux.

17 min

Operating System (OS) hardening involves applying configurations and security controls to reduce a system's attack surface and protect the integrity of the data it processes.

OS Security Principles Security professionals must balance the inversely proportional relationship between functionality and security. Increasing security often decreases ease of use, and implementing robust controls requires finite organizational resources. The primary goal is maintaining the CIA Triad: Confidentiality, Integrity, and Availability.

Windows Group Policy Group Policy is a hierarchical infrastructure that allows network administrators to implement specific configurations for users and computers across an Active Directory environment. - GPOs (Group Policy Objects): Collections of settings that define how a system will look and behave for a defined group of users. - Security Templates: Standardized text files containing security settings that can be imported into a GPO to ensure consistent hardening across the enterprise. - Account Policies: Used to enforce password complexity, expiration, and account lockout thresholds to prevent brute-force attacks. - Registry Settings: Admins can use GPOs to disable hardware (like USB ports) or restrict access to the Command Prompt to limit a user’s ability to bypass security.

Security-Enhanced Linux (SELinux) SELinux is a kernel security module that provides a mechanism for supporting Mandatory Access Control (MAC), moving beyond the traditional Discretionary Access Control (DAC) found in standard Linux. - Enforcing Mode: The default level where SELinux active-denies access and logs all attempts that violate the security policy. - Permissive Mode: The system logs security policy violations but does not block the actions; this is primarily used for troubleshooting. - Labeling: SELinux assigns a "context" or label to every process, file, and directory. Access is only granted if the policy explicitly allows the subject’s label to interact with the object’s label. - Least Privilege: By using MAC, SELinux ensures that even if a service is compromised (like a web server), the attacker is confined to that specific process's boundaries.

Hardening and Security Posture A strong security posture requires continuous management of system configurations to mitigate risks from negligent or malicious actors. - Baselines: Establishing a "known good" configuration state to measure deviations against. - Attribute-Based Access Control (ABAC): Using complex rules (like time of day or location) to govern OS access, often managed through central policy engines.

Quick recall - Inversely Proportional: As security increases, functionality or ease-of-use typically decreases. - GPO Hierarchy: Applied in LSDOU order (Local, Site, Domain, Organizational Unit). - MAC (Mandatory Access Control): The core logic of SELinux; prevents users from changing permissions on files they own if it violates policy. - Audit Logs: Both Group Policy and SELinux generate logs essential for monitoring the "Integrity" of the CIA triad.